Friday, June 4, 2010

During a recent discussion at work, the benefits of a sound security program outside of the context of repelling malicious assaults came up. What would be the gain of a security program if there was no one attempting to break into a network? How would the role of security for Information Technology change? Would security careers come to a crashing halt? To give the discussion a framework, the following parameters were agreed upon:

Suddenly everybody in the world is neither malicious nor unscrupulous.

While there is still competition in industry, it is driven only by the idea that each competitor in an industry will attempt to outperform their competition by creating better products at a lower cost, but there will be no espionage or market for trade secrets.

Nobody is intentionally harming the network or systems, so there will be no worms, Trojans, or computer viruses.

This is global, so as to remove the possibility of foreign attackers, military or otherwise.

People would still be capable of errors and would have disagreements founded in misunderstanding, but these disagreements would be settled through mediation or court, or rock-paper-scissors.

We talked about this for a while, but had no way to quantify either side of the argument.

So in this world with “No bad guys, period,” what benefit would there be to a security program? Which areas would remain the same? What could be removed from a security program? What does this mean for how we look at security programs as they currently exist?

To make things simple I thought it would be easiest to measure what percentage of change would occur in a recognized Information Security Management Standard, BS7799. This way I could determine what changes would occur to security programs more globally. Using a recognized standard seemed more appropriate than what one company or another might find useful for their individualized needs.

The next step was to go through the standard and determine if its components would stay or go. To do this an audit checklist of the BS7799 by Val Thiagarajan, available through SANS, was used to concisely summarize the intent of the standard, as its directed questioning leads to each section’s focus. The results, with the rationale used in deciding each section’s fate, assuming this is a standards-based program for a medium-sized business founded on the three principles of security (availability, integrity, and confidentiality), can be found here:

By tallying up the results, albeit subjectively, it was found that even without “bad guys”, 77.95 percent of the BS7799 is still applicable. This bodes well for justification of a security program, even in a world free of bad guys. Unsurprisingly, based on the outlined framework in which the subject was approached, for a medium business, the dramatic swing away from confidentiality towards integrity and availability maintained the need of a security program. Availability and integrity are key to processing orders, a major factor in most businesses. What was surprising was the extent to which the standard approached these two areas, given the amount of emphasis typically seen in security postings on mitigating against attackers. It crystallized further during this process how underrepresented the principles of availability and integrity are in most security conversations, given their weight. I hear a lot of “What will you do if this box gets compromised?” and very little “What is your plan if your RAID array gets corrupted?” at the speaking engagements I go to. Without paying attention to these core concepts the program can get very lopsided.

Hopefully this will lend perspective to anyone a hacker hasn’t yet breached that there is still a need for a sound security program. Furthermore, this will hopefully guide people to revisit their business continuity programs, to reconsider how much their systems affect the cash coming into their businesses, and how important it is to develop a security program with processes in place to ensure access to these systems and/or the foresight to recover them.

Even without bad guys security would play a vital role for Information Technology, though it may change its name to “Continuity Planning”.

Wednesday, June 2, 2010

Recently a study was released by Forrester Research Inc. titled “The Value of Corporate Secrets.” To summarize, it basically goes on to state that although most security programs are driven by compliance regulations, perhaps organizations need to do a better job of securing trade secrets, since it has been shown that company secrets (trade secrets, strategic plans, etc.) are more valuable than custodial data (i.e. PII, credit card numbers, government identifiers, etc.). The full study is available at the below link:

This study originally caught my eye mainly because it was linked on Slashdot.com with the title “Compliance is Wasted Money, Study Finds.” After reading the study, I am not sure Forrester actually would agree with this statement as much as it is Slashdot’s own interpretation of the study. Forrester breaks down this study into five different sections which I will discuss in subsequent blogs. In this first blog post I will discuss the first section of the study, all leading to what I consider a fairly ignorant title to a study posted by Slashdot and most likely immature conclusions by Forrester.

Company Secrets Comprise Two-Thirds of the Value of Firm’s Information Portfolios

Forrester Finding: For this survey, we asked respondents to identify the five most valuable assets in their information portfolios out of 17 possible types of information ranging from sales forecasts to cardholder data. For purposes of simplicity, we constrained the maximum value to $1 million. On average, enterprises valued their top five assets at $2.7 million in aggregate. Significantly, two-thirds of the value comes from secrets, not custodial data.

My question to the above is what exactly did Forrester use as a control during this survey? In any scientific experiment, groups are treated EXACTLY alike except for the ONE variable being tested at a time. Since I am going to go ahead and assume that this survey took place across many different industries with varying levels of annual revenue and organizational structure and controls, there are too many variables to consider this number to be an accurate representation of the value of corporate assets based on Forrester’s research.

First, organizations vary in organizational structure. The study only says that it interviewed 305 different IT security decision makers. The only reason I bring this up is because in smaller organizations, perhaps the CEO acts as the IT security decision maker as opposed to larger organizations where a CSO might be granted those responsibilities. Asking a CSO and a CEO what their most critical assets are most times is going to result in different answers.

Secondly, did Forrester survey only those organizations which have good asset and data classification programs? This would be very hard for me to believe being that from my experience these types of programs are non-existent in smaller to mid-size organizations. So once again, assuming that Forrester was not able to survey just those organizations which have good asset and data classification programs, how could the person being interviewed actually give an accurate answer as to what their 5 most critical assets are and then proceed to place a dollar amount on them?

Finally, even if we assume this survey to be correct and two-thirds of the firm’s value is in their company secrets, what is not addressed is the potential impact other than a dollar amount that may be incurred by an organization if company secrets or custodial data is lost. Sometimes the reputational impact incurred after a breach is much more costly to an organization than the actual dollar amount of the data stolen. For example, I am much more likely to still do business with an organization whose financials were stolen as opposed to an organization who allowed my personal information to be compromised. So even though the theft of an organization’s financial statements might cost the organization more money, it may not result in the same reputational impact if custodial data was compromised. Many times the reputational impact can be much more costly than the monetary impact.

In summary, I believe there are simply way too many variables and not enough research done in order to truly determine the value of the assets that comprise an organization’s portfolio. Even if we were to take this conclusion at face value, who cares about the value of the assets? The most important question to ask is the impact to the organization if sensitive assets were to be compromised.